Recherche avancée

Sur d’autres sites (12663)

• Your guide to cookies, web analytics, and GDPR compliance

  25 février 2020, par Joselyn Khor — Analytics Tips, Privacy, Security
  It’s been almost two years since the GDPR came into effect and turned the online world on its head. Confusion around cookies/cookie consent/cookie compliance remains till today. So we’d like to take this chance to talk more about the supposed “big bad” of the latest century. 

  Online cookies seem to have a bad reputation, but are they as bad as they seem ?

  To start, what are cookies on the internet ?

  An internet cookie a.k.a. an HTTP cookie, is a small piece of data sent from websites that is stored on your computer or mobile when you visit that site.

  Are all cookies bad ?

  No. Cookies themselves are usually harmless as they can’t infect computers with malware. 

  They can also be helpful for both websites who use them and individuals visiting those websites. For example, when online shopping, cookies on ecommerce sites keep track of what you’re shopping for. If you didn’t have that tracking, your cart would be empty every time you moved away from that site.

  For businesses/websites, cookies can be used for authentication (logins) and tracking website user experience. For example, tracking multiple visits to the same site in order to provide better experiences to customers visiting their website.

  

  The not-so-sweet types of cookies :

  Cookies that contain personal data

  Another example of a bad cookie is when cookies contain personal data directly in the cookie itself. For example, when websites store demographics or your name in a cookie ; or when a website stores survey results in a cookie. Use of cookies in these ways is considered bad practice nowadays.

  Third-party cookies
  

  They can be used by websites to learn about your visit and activity across multiple websites. Cookies can enter harmful territory when employed for “big brother” types of tracking i.e. when they’re used to build a virtual fingerprint of individuals after their activity is tracked from website to website. For example most advertising networks create third party cookies in your browser when you view an ad, which lets these advertisers track users across these websites and let companies buy more targeted ads.

  Why does Matomo use cookies ?

  

  For accurate reporting of new and returning visitors. Matomo uses cookies to store some information about visitors between visits. We also use cookies to remember if someone gave consent to tracking, or opted out of tracking. 

  Types of cookies Matomo uses :

  • Matomo by default uses first-party cookies, set on the domain of your site.
  • Cookies created by Matomo start with : _pk_ref, _pk_cvar, _pk_id, _pk_ses. See a list of all Matomo cookies : https://matomo.org/faq/general/faq_146/

  Cookie-less tracking - disable cookies and ensure cookie compliance :

  It’s possible to disable tracking cookies in Matomo by adding a line on the javascript code. When cookies are disabled, Matomo data will become slightly less accurate. Also, when cookies are disabled, there may still be a few cookies created in specific cases.

  If you disable cookies, Matomo tries to detect unique visitors by a fingerprint based on a few browser attributes : operating system, browser, browser plugins, IP address and browser language.

  By disabling tracking cookies, you may also use Matomo without needing to display a cookie consent screen. You can also keep tracking when they reject cookie consent by keeping cookies disabled.

  Cookies and the GDPR

  In some countries and according to the GDPR, websites need to provide a way for users to opt-out of all tracking, in particular tracking cookies.

  The GDPR regulates the use of cookies when they compromise an individual’s privacy. When cookies can identify an individual, it is considered personal data.

  

  Cookie compliance and the GDPR

  To be GDPR compliant you must :

  • Receive user consent before using any cookies (except strictly necessary cookies). Read more on cookies that are “clearly exempt from consent”.
  • Provide accurate and specific information about the data each cookie tracks and its purpose in plain language before consent is received.
  • Document and store consent received from users.
  • Allow users to access your service even if they refuse to allow the use of certain cookies
  • Make it as easy for users to withdraw their consent as it was for them to give their consent in the first place.

  Source : https://gdpr.eu/cookies/

  When does GDPR require cookie consent ?

  The purpose of the GDPR is to give individuals control over their personal data. As such this regulation has provisions and requirements which regulate the processing of personal data to protect the privacy of individuals. 

  This means in order to use cookies, you will sometimes need explicit consent from those individuals.

  When does GDPR not require cookie consent ?

  Then there are many cookies that generally do NOT require consent (Source : https://wikis.ec.europa.eu/display/WEBGUIDE/04.+Cookies). 

  These are :

  • user input cookies, for the duration of a session
  • authentication cookies, for the duration of a session
  • user-centric security cookies, used to detect authentication abuses and linked to the functionality explicitly requested by the user, for a limited persistent duration
  • multimedia content player session cookies, such as flash player cookies, for the duration of a session
  • load balancing session cookies and other technical cookies, for the duration of session
  • user interface customisation cookies, for a browser session or a few hours, when additional information in a prominent location is provided (e.g. “uses cookies” written next to the customisation feature)

  Tracking cookies and consent vs legitimate interest

  

  User consent is not always required :

  We understand that whenever you collect and process personal data, you need – almost always – to ask for their consent. However, there are instances where you have to process data under “legitimate interests”. The GDPR states that processing of personal data is lawful “if processing is necessary for the purposes of the legitimate interests”. This means if you have “legitimate interests” you can avoid asking for consent for collecting and processing personal information. Learn more : https://cookieinformation.com/resources/blog/what-is-legitimate-interest-under-the-gdpr 

  A lawful basis for processing personal data (proceeding with caution) :

  We’ve also written about having a lawful basis for processing personal data under GDPR with Matomo. The caveat here is you need to have a strong argument for legitimate interests. If you are processing personal data which may represent a risk to the final user, then getting consent is, for us, still the right lawful basis. If you are not sure, at the time of writing ICO is providing a tool in order to help you make this decision.

  How is Matomo Analytics GDPR compliant ?

  Matomo can be configured to automatically anonymise data so you don’t process any personal data. This allows you to completely avoid GDPR. If you decide to process personal data, Matomo provides you with 12 steps to easily comply with the GDPR guidelines.

  New developments on cookies and the GDPR

  In the early days of the GDPR, a spate of cookie management platforms (CMPs) popped up to help websites and people comply with GDPR rules around cookies.

  These have become problematic in recent years. Europe’s highest court ruled pre-checked box for cookie boxes does not give enough consent. 

  As well as that, new research suggests most cookie consent pop-ups in the EU fall short of GDPR. A new study called, ‘Dark Patterns after the GDPR’ from MIT, UCL and Aarhus University found that a vast majority of websites aren’t following GDPR rules around cookies. The study found most cookie consent pop-ups in the EU to be undermining the GDPR by finding sneaky ways to convince website visitors to click ‘accept’.

  Disclaimer

  We are not lawyers and don’t claim to be. The information provided here is to help give an introduction to issues you may encounter when dealing cookies. We encourage every business and website to take data privacy seriously and discuss these issues with your lawyer if you have any concerns. 

  Additional resources :

  • How do the cookie rules relate to the GDPR ? 
  • Cookies, the GDPR, and the ePrivacy Directive

• How to Choose a GDPR Compliant Web Analytics Solution

  2 mars 2022, par Matthieu Aubry — Privacy

  Since the launch of GDPR, one big question has lingered around with uncertainty – is Google Analytics GDPR compliant ? The current GDPR enforcement trend happening across the EU is certainly shedding some light on this question.

  Starting with the Austrian Data Protection Authority’s ruling on Google Analytics and more recently, CNIL (the French Data Protection Authority) has followed suit by also ruling Google Analytics illegal to use. Organisations with EU-based web visitors are now scrambling to find a compliant solution.

  The French Data Protection Authority (CNIL) has already started delivering formal notices to websites using Google Analytics, so now is the time to act. According to CNIL, organisations have two options :

  1. Ceasing use of the Google Analytics functionality (under the current conditions) 
  2. Use a compliant web analytics tool that does not transfer data outside the EU

  Getting started 

  For organisations considering migrating to a compliant web analytics tool, I’ve outlined below the things you need to consider when weighing up compliant web analytics tools. Once you’ve made a choice, I’ve also included a step-by-step guide to migrating away from Google Analytics. This guide is useful regardless of which GDPR compliant analytics provider you choose.

  Before getting started, I recommend that you document your findings against the following considerations while reviewing GDPR compliant Google Analytics alternatives. This document can then be shared with your Data Protection Officer (DPO) to get their final recommendation.

  10 key considerations when selecting a GDPR compliant web analytics tools

  Many tools will claim to be GDPR compliant so it’s important that you do your due diligence and review tools against the following considerations. 

  1. Where does the tool store data ? 

  The rulings in France and Austria were based on the fact that Google Analytics stores data in the US, which does not have an adequate level of data protection. Your safest option is to find a tool that legally stores data in the EU.

  You should be able to find out where the data is stored in the organisation’s privacy policy. Generally, data storage information can be found under sections titled “Subprocessors” and “Third-party services”. Check out the Matomo Privacy Policy as an example. 

  If you’re unable to easily find this information or it’s unclear, reach out to the organisation for more information.

  2. Does the tool offer anonymous tracking ?

  Anonymous tracking comes with many benefits, including :

  • The ability to track visitors without a cookie consent screen. Due to the privacy-respecting aspect of cookieless tracking, you don’t need to worry about the extra steps involved with compliant cookie banners.
  • More accurate data. When visitors deny tracking cookies, you lose out on valuable data. With anonymous tracking there is no data lost as you don’t need consent to track.
  • Simplified GDPR compliance. With this enabled, there are fewer steps you need to take to get GDPR compliant and stay GDPR compliant.

  For those reasons, it may be important for you to select a tool that offers anonymous tracking functionalities. The level of anonymous tracking you require will depend on your situation but you should look out for tools that allow you to :

  • Disable fingerprinting 
  • Disable user profiles 
  • Anonymise data
  • Cookieless tracking

  If you want to read more about data anonymization, check out this guide on data anonymization in web analytics.

  3. Does the tool integrate with my existing tech stack ?

  You’ll want to ensure that a new web analytics tool will play well with other tools in your tech stack including things like your CMS (content management system), eCommerce shop, etc. You should list out all the existing tools that currently integrate with your Google Analytics and check that the same integrations can be re-created with the new tool, via integrations or APIs.

  If not, it could become costly trying to connect your existing tech stack to a new solution.

  4. Does the tool offer the same features and insights you are currently using in Google Analytics ? Or more, if necessary ? 

  Just because you are moving to a new web analytics platform, doesn’t mean you have to give up the insights, reports and features you’ve grown accustomed to with Google Analytics. Ensuring that a new platform provides the same features and reports that you value the most will result in a smoother transition away from Google Analytics.

  It’s unlikely that a new tool will have all of the same features as Google Analytics, so I’d recommend listing out and prioritising your business-critical features and reports. 

  If I had to guess, you probably set up Google Analytics years ago because it was the default option. Now is your chance to make the most of this switch from Google Analytics and find a tool that offers additional reports and features that better aligns with your business. If time permits, I’d highly recommend that you consider other features or reports that you might have been missing out on while using Google Analytics.

  Check out this comparison of Google Analytics vs Matomo to see side-by-side feature comparison.

  5. Does the tool accept Google Analytics data imports ? 

  The historical data in Google Analytics is a critical asset for many businesses. Fortunately, some tools accept Google Analytics data imports so you don’t lose all of the data you’ve generated over time.

  However, it’s important to note that any data you import from Google Analytics to a new tool needs to be compliant data. I’ll cover this more below.

  6. Does the tool provide conversion tracking exports ? 

  Do you invest in paid advertising ? If you do, then tracking the conversions from people clicking on these paid ads is critical in assessing your return on investment. Since sending IP addresses or other personal information to the US is illegal under GDPR, we can only assume that this will also apply to advertising pixel/conversion tracking (e.g., Facebook pixel, Google Ads conversion tracking, etc). 

  As an example, Matomo offers conversion tracking exports so you can get a better understanding of ad performance while meeting privacy laws and without requiring consent from users. See how it works with Matomo’s conversion tracking exports. 

  7. How will you train up your in-house team ? Or can you hire a contractor ?

  This is a common concern of many, and rightfully so. You’ll want to confirm what resources are readily available so you can hit the ground running with your new web analytics tool. If you’d prefer to train up your in-house team, check the provider’s site for training resources, videos, guides, etc.

  If you’d rather hire an external contractor, we recommend heading to LinkedIn, reaching out to your community or asking the provider if they have any recommendations for contractors.

  In addition, check that the provider offers technical support or a forum, in case you have specific questions and need help.   

  8. Does the tool offer self-hosting ? (optional)

  For organisations that want full control over their data and storage location, an on-premise web analytics tool will be the preferred option. From a GDPR perspective, this is also the easiest option for compliance.

  Keep in mind that this requires resources, regular maintenance, technical knowledge and/or technical consultants. If you’re unsure which option is best for your organisation, check out our on-premise vs cloud web analytics comparison breakdown.

  Find out more about self-hosting Matomo.

  9. Is the tool approved by the CNIL for tracking without consent ?

  This is an important step for websites with French users. This step will help narrow down your selection of tools. The CNIL offers a programme to identify web analytics solutions that can be used without tracking consent. The CNIL’s list of recommended web analytics tools can act as your starting point for solutions to review.

  While this step is specific to sites with French users, it can also be helpful for websites with visitors from any other EU country.

  Benefits of consent-free tracking

  There are many benefits of tracking without consent.
  

  For one, it simplifies GDPR compliance and reduces the chances of GDPR breaches and fines. Cookie consent screens have recently been the target for EU Data Protection Authorities because many websites are unknowingly serving cookie consent screens that do not meet GDPR requirements. 

  Yet another benefit, and quite possibly the most important is more accurate data. Even if a website displays a user-friendly, lawful consent screen, the majority of users will either ignore or reject cookie consent. Legally website owners can’t track anything unless the visitor gives consent. So not having a cookie consent screen ensures that every visit is tracked and your web analytics data is 100% accurate. 

  Lastly, many visitors have grown fatigued and frustrated with invasive cookie consent screens. Not having one on your site creates a user-friendly experience, which will likely result in longer user sessions and lower bounce rates.

  10. Does the tool offer a Data Processing Agreement (DPA) ? 

  Technically, any GDPR compliant web analytics tool should offer a DPA but for the sake of completeness, I’ve added this as a consideration. Double check that any tools you are looking at provide this legally binding document. This should be located in the Privacy Policy of the web analytics provider, if not reach out to request it.

  As an example, here’s Matomo’s Data Processing Agreement which can be found in our Privacy Policy under Subprocessors. 

  That wraps up the key considerations. When it comes to compliance, privacy and customer data, Matomo leads the way. We are looking forward to helping you achieve GDPR compliance easily. Start your free 21-day trial of Matomo now – no credit card required.

  Try Matomo Cloud

  A step-by-step guide to migrating from Google Analytics

  Once you’ve identified a tool that suits your needs and your Data Protection Officer (DPO) has approved, you’re ready to get started. Here’s a simple step-by-step guide with all the important steps for you to follow :

  1. Before getting started, you should sign or download the Data Processing Agreement (DPA) offered by your new web analytics provider.

  2. Register for the new tool and configure it for compliance. The provider should offer guides on how to configure for GDPR compliance. This will include things like giving your users an easy way to opt-out of all tracking, turning on cookieless tracking or asking users for consent and anonymizing data and IP addresses, for instance.

  3. Inform your organisation about the change. Whether your colleagues use the tool or not, it’s important that you share information about the new tool with your staff. Let them know what the tool will be used for, who will use the tool and how it complies with GDPR. 

  4. Let your DPO know that you’ve removed Google Analytics and have implemented the new tool.

  5. Update your records of processing activities to include the new tool.

  6. Update your privacy policy. You’ll need to include details about the web analytics provider, where the data is stored, what data is being collected, how long the data will be stored and why the data is being collected. The web analytics tool should readily have this information for you.

  As an example, if you decide to use Matomo as your web analytics tool, we provide a Privacy Policy template for you to use on your site and a guide on how to complete your privacy policy under GDPR with Matomo. Note that these are only applicable if you are using Matomo.

  In addition, if the tool has an opt-out feature, you will also need to put the opt-out into the privacy policy (e.g., when using cookieless tracking).

  7. Now, the exciting part. Add the tracking code to your site by following the steps provided by the web analytics tool. 

  If you’re not comfortable with this step, the provider should offer steps to do this and you can share this with your web developer.

  8. Once added, login to your tool and check to see if traffic is being tracked.

  9. If your tool does not offer Google Analytics data imports or you do not need the historical data in your new tool, go to step 11. 

  To plan for your Google Analytics data migration, you’ll first need to establish what historical data is compliant with GDPR.

  For example, you shouldn’t import any data stored beyond the retention period established in your Privacy Policy or any personally identifiable information (PII) like IP addresses that aren’t anonymised. Discuss this further with your DPO.

  10. Once you’ve established what data you can legally import, then you can begin the import. Follow the steps provided by your new web analytics solution provider.

  11. Remove Google Analytics tracking code from your site. This will stop the collection of your visitors data by Google as well as slightly increase the page load speed.

  If you still haven’t made a choice yet, try Matomo free for 21-days and see why over 1 million websites choose Matomo. 

• Protecting consumer privacy : How to ensure CCPA compliance

  18 août 2023, par Erin — CCPA, Privacy

  The California Consumer Privacy Act (CCPA) is a state law that enhances privacy rights and consumer protection for residents of California. 

  It grants consumers six rights, like the right to know what personal information is being collected about them by businesses and others. 

  CCPA also requires businesses to provide notice of data collection practices. Consumers can choose to opt out of the sale of their data. 

  In this article, we’ll learn more about the scope of CCPA, the penalties for non-compliance and how our web analytics tool, Matomo, can help you create a CCPA-compliant framework.

  What is the CCPA ? 

  CCPA was implemented on January 1, 2020. It ensures that businesses securely handle individuals’ personal information and respect their privacy in the digital ecosystem. 

  

  CCPA addresses the growing concerns over privacy and data protection ; 40% of US consumers share that they’re worried about digital privacy. With the increasing amount of personal information being collected and shared by businesses, there was a need to establish regulations to provide individuals with more control and transparency over their data. 

  CCPA aims to protect consumer privacy rights and promote greater accountability from businesses when handling personal information.

  Scope of CCPA 

  The scope of CCPA includes for-profit businesses that collect personal information from California residents, regardless of where you run the business from.

  It defines three thresholds that determine the inclusion criteria for businesses subject to CCPA regulations. 

  Businesses need to abide by CCPA if they meet any of the three options :

  1. Revenue threshold : Have an annual gross revenue of over $25 million.
  2. Consumer threshold : Businesses that purchase, sell or distribute the personal information of 100,000 or more consumers, households or devices.
  3. Data threshold : Businesses that earn at least half of their revenue annually from selling the personal information of California residents.

  What are the six consumer rights under the CCPA ? 

  Here’s a short description of the six consumer rights. 

  

  1. Right to know : Under this right, you can ask a business to disclose specific personal information they collect about you and the categories of sources of the information. You can also know the purpose of collection and to which third-party the business will disclose this info. This allows consumers to understand what information is being held and how it is used. You can request this info for free twice a year.
  2. Right to delete : Consumers can request the deletion of their personal information. Companies must comply with some exceptions.
  3. Right to opt-out : Consumers can deny the sale of their personal information. Companies must provide a link on their homepage for users to exercise this right. After you choose this, companies can’t sell your data unless you authorise them to do so later.
  4. Right to non-discrimination : Consumers cannot be discriminated against for exercising their CCPA rights. For instance, a company cannot charge different prices, provide a different quality of service or deny services.
  5. Right to correct : Consumers can request to correct inaccurate personal information.

  6. Right to limit use : Consumers can specify how they want the businesses to use their sensitive personal information. This includes social security numbers, financial account details, precise geolocation data or genetic data. Consumers can direct businesses to use this sensitive information only for specific purposes, such as providing the requested services.

  Penalties for CCPA non-compliance 

  52% of organisations have yet to adopt CCPA principles as of 2022. Non-compliance can attract penalties.

  

  Section 1798.155 of the CCPA states that any business that doesn’t comply with CCPA’s terms can face penalties based on the consumer’s private right to action. Consumers can directly take the company to the civil court and don’t need prosecutors’ interventions. 

  Businesses get a chance of 30 days to make amends for their actions. 

  If that’s also not possible, the business may receive a civil penalty of up to $2,500 per violation. Violations can be of any kind, even accidental. An intentional violation can attract a fine of $7,500. 

  Consumers can also initiate private lawsuits to claim damages that range from $100 to $750, or actual damages (whichever is higher), for each occurrence of their unredacted and unencrypted data being breached on a business’s server.

  CCPA vs. GDPR 

  Both CCPA and GDPR aim to enhance individuals’ control over their personal information and provide transparency about how their data is collected, used and shared. The comparison between the CCPA and GDPR is crucial in understanding the regulatory framework of data protection laws.

  Here’s how CCPA and GDPR differ :

  Scope

  • CCPA is for businesses that meet specific criteria and collect personal information from California residents. 
  • GDPR (General Data Protection Regulation) applies to businesses that process the personal data of citizens and residents of the European Union.

  Definition of personal information

  • CCPA includes personal information broadly, including identifiers such as IP addresses and households. Examples include name, email id, location and browsing history. However, it excludes HIPAA-protected medical data, clinical trial data and other personal information from government records.
  • GDPR covers any personal data relating to an identified or identifiable individual, excluding households. Examples include the phone number, email address and personal identification number. It excludes anonymous and deceased person’s data.

  

  Consent

  • Under the CCPA, consumers can opt out of the sale of their personal information.
  • GDPR states that organisations should obtain explicit consent from individuals for processing their personal data.

  Rights

  • CCPA grants the right to know what personal information is being collected and the right to request deletion of their personal information.
  • GDPR also gives individuals various rights, such as the right to access and rectify their personal data, the right to erasure (also known as the right to be forgotten) and also the right to data portability. 

  Enforcement

  • For CCPA, businesses may have to pay $7,500 for each violation. 
  • GDPR has stricter penalties for non-compliance, with fines of up to 4% of the global annual revenue of a company or €20 million, whichever is higher.

  A 5-step CCPA compliance framework 

  Here’s a simple framework you can follow to ensure compliance with CCPA. Alongside this, we’ll also share how Matomo can help. 

  Matomo is an open-source web analytics platform trusted by organisations like the United Nations, NASA and more. It provides valuable insights into website traffic, visitor behaviour and marketing effectiveness. More than 1 million websites and apps (approximately 1% of the internet !) use our solution, and it’s available in 50+ languages. Below, we’ll share how you can use Matomo to be CCPA compliant.

  1. Assess data

  First, familiarise yourself with the California Consumer Privacy Act and check your eligibility for CCPA compliance. 

  For example, as mentioned earlier, one threshold is : purchases, receives or sells the personal data of 100,000 or more individuals or households. 

  But how do you know if you have crossed 100K ? With Matomo ! 

  Go to last year’s calendar, select visitors, then go to locations and under the “Region” option, check for California. If you’ve crossed 100K visitors, you know you have to become CCPA compliant.

  

  Identify and assess the personal information you collect with Matomo.

  2. Evaluate privacy practices

  Review the current state of your privacy policies and practices. Conduct a thorough assessment of data sharing and third-party agreements. Then, update policies and procedures to align with CCPA requirements.

  For example, you can anonymise IP addresses with Matomo to ensure that user data collected for web analytics purposes cannot be used to trace back to specific individuals.

  

  If you have a consent management solution to honour user requests for data privacy, you can also integrate Matomo with it. 

  3. Communicate 

  Inform consumers about their CCPA rights and how you handle their data.

  Establish procedures for handling consumer requests and obtaining consent. For example, you can add an opt-out form on your website with Matomo. Or you can also use Matomo to disable cookies from your website.

  

  Documenting your compliance efforts, including consumer requests and how you responded to them, is a good idea. Finally, educate staff on CCPA compliance and their responsibilities to work collaboratively.

  4. Review vendor contracts

  Assessing vendor contracts allows you to determine if they include necessary data processing agreements. You can also identify if vendors are sharing personal information with third parties, which could pose a compliance risk. Verify if vendors have adequate security measures in place to protect the personal data they handle.

  That’s why you can review and update agreements to include provisions for data protection, privacy and CCPA requirements.

  Establish procedures to monitor and review vendor compliance with CCPA regularly. This may include conducting audits, requesting certifications and implementing controls to mitigate risks associated with vendors handling personal data.

  5. Engage legal counsel

  Consider consulting with legal counsel to ensure complete understanding and compliance with CCPA regulations.

  Finally, stay updated on any changes or developments related to CCPA and adjust your compliance efforts accordingly.

  Matomo and CCPA compliance 

  There’s an increasing emphasis on privacy regulations like CCPA. Matomo offers a robust solution that allows businesses to be CCPA-compliant without sacrificing the ability to track and analyse crucial data.

  You can gain in-depth insights into user behaviour and website performance — all while prioritising data protection and privacy. 

  Request a demo or sign up for a free 21-day trial to get started with our powerful CCPA-compliant web analytics platform — no credit card required. 

  Disclaimer

  We are not lawyers and don’t claim to be. The information provided here is to help give an introduction to CCPA. We encourage every business and website to take data privacy seriously and discuss these issues with your lawyer if you have any concerns.